
Contraband Imports

  • Post author: Omid Farhang
  • Post published: March 5, 2010
  • Reading Time: 1 min
  • Word Count: 168 words

One of the issues malware writers deal with is having their programs load and execute on a victim’s computer. An unwary victim may click on an email attachment and have the malware run once. But in order to continue to be of value to the author, that piece of malware has to arrange for itself to be run after the computer inevitably gets rebooted. There are several well known ways to accomplish this task. The problem, from the malware author’s point of view, is that these methods are well known and security software knows where to look. Which brings us to the topic of this blog entry. We recently came across a hacked copy of imm32.dll, which is Microsoft’s Input Method Manager library. The authors inserted an extra imported library into the file’s import directory, so the Windows loader pulls the extra DLL in every time imm32.dll itself is loaded, without any of the usual autostart entries to give it away. The extra library name starts with “net” and the imported function name is randomized. ...
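The check a practitioner wants here is the one the post implies: walk the file’s import directory and compare the imported DLLs against a known-good copy of the same binary. The following import-directory walker is an added example, not code from the original post; it reads the PE headers with nothing but the standard library and handles both PE32 and PE32+ thunk widths. The sample image it builds, the “net…” DLL name, its random-looking function name and the BASELINE list are all constructed for the demonstration; the real imm32.dll and its real import list are not reproduced.

```python
import struct


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def _cstring(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [function name or '#ordinal', ...]} for a PE32/PE32+ image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:    # PE32: data directories at +96, 32-bit thunks
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: data directories at +112, 64-bit thunks
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    import_rva, = struct.unpack_from("<I", data, opt_off + dd_off + 8)  # directory entry 1
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt_off + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    imports, desc_off = {}, _rva_to_offset(sections, import_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
        # Name, FirstThunk; an all-zero descriptor terminates the table.
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0 and ft == 0:
            break
        funcs, thunk_off = [], _rva_to_offset(sections, oft or ft)
        while True:
            entry, = struct.unpack_from(thunk_fmt, data, thunk_off)
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append("#%d" % (entry & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte Hint followed by the name
                funcs.append(_cstring(data, _rva_to_offset(sections, entry) + 2))
            thunk_off += struct.calcsize(thunk_fmt)
        imports[_cstring(data, _rva_to_offset(sections, name_rva))] = funcs
        desc_off += 20
    return imports


def unexpected_imports(data, baseline_dlls):
    """DLLs imported by `data` that a known-good copy of the same file does not import."""
    known = {d.lower() for d in baseline_dlls}
    return {dll: f for dll, f in parse_imports(data).items() if dll.lower() not in known}


def build_sample_pe(imports):
    """Constructed single-section PE32 image carrying an import table for `imports`."""
    base, descs = 0x1000, 20 * (len(imports) + 1)
    sec, table = bytearray(descs), b""          # descriptors first, strings/thunks after
    for dll, funcs in imports.items():
        name_rva = base + len(sec)
        sec += dll.encode() + b"\0"
        by_name = []
        for f in funcs:
            by_name.append(base + len(sec))
            sec += struct.pack("<H", 0) + f.encode() + b"\0"   # Hint + name
        sec += b"\0" * (-len(sec) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0" * 4
        oft_rva = base + len(sec)
        sec += thunks
        ft_rva = base + len(sec)
        sec += thunks
        table += struct.pack("<IIIII", oft_rva, 0, 0, name_rva, ft_rva)
    sec[:descs] = table + b"\0" * 20
    sec += b"\0" * (-len(sec) % 0x200)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, base, descs)                 # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), base, len(sec), 0x200, 0, 0, 0, 0, 0xC0000040)
    hdrs = dos + b"PE\0\0" + coff + opt + sec_hdr
    return hdrs + b"\0" * (0x200 - len(hdrs)) + bytes(sec)


# Constructed sample, not the real imm32.dll: ordinary system imports plus one extra
# DLL whose name starts with "net" and whose single import has a random-looking name.
SAMPLE = build_sample_pe({
    "KERNEL32.dll": ["GetProcAddress", "LoadLibraryA", "GetModuleHandleA"],
    "USER32.dll": ["GetWindowThreadProcessId"],
    "netqzvm.dll": ["Wkxprtq"],
})
BASELINE = ["kernel32.dll", "user32.dll"]   # stands in for a known-good copy's import list
```

Running `unexpected_imports(SAMPLE, BASELINE)` returns only the “net” DLL and its one import, which is exactly the signal the post describes. On a real system the baseline is the import list of a pristine copy of the same file (from install media or a machine you trust), and the same walk also surfaces the second tell-tale, an imported name that matches nothing the legitimate DLL exports.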


Chat with malcode

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 3 min
  • Word Count: 476 words

It’s time for your daily dose of “spot the fake program / avoid the fake program”. What is it this time? Well, if you have family members who are into webcams and chatting you might want to point them to this writeup because a new challenger has entered the ring: Yes, “Chat Cam” is a rather smart looking (and entirely fake) program designed to make end users think they’re taking part in a large community of webcam owners. Clearly, the creator had the recently launched Chatroulette in mind when they made this one (if you’re not familiar with it, Chatroulette is a site where you jump from webcam chat to webcam chat over and over again, all within one large community of strangers. In practice, you tend to mash the “Next” button endlessly as one “chat” after another fails to materialise). This is what Chatroulette looks like – you’ll notice the similarity as we move further into the writeup: ...


FakeAV, now for Windows 7!

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 2 min
  • Word Count: 348 words

It’s been over a year since we first started seeing the familiar fake Windows XP “My Computer” page, where it appears your drives are being scanned and a bunch of non-existent malware is reported on your computer. Yesterday I was investigating the latest hot news item, a FAMU (Florida Agricultural and Mechanical University) sex tape supposedly released on the internet, and sure enough I found many SEO-poisoned links claiming to have the video. Imagine my surprise when I saw the following. ...


Mariposa botnet take down

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 2 min
  • Word Count: 261 words

Readers may well have seen some of the news stories posted after yesterday’s news concerning the take down of the “Mariposa” botnet. So what is Mariposa? Mariposa is the name given to a particular botnet that started getting some attention during the first half of 2009. The botnet was dubbed Mariposa after the name of one of its C&C servers, butterfly dot sinip dot es, Mariposa being the Spanish word for butterfly. ...


Malicious iframes on Google-analitics(dot)net

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 1 min
  • Word Count: 30 words

Right! A site registered in the state of “Taliban.” You’re really going to go to a site with this registration? Nice work, SANS. Thanks to Daniel Wesemann at SANS: http://isc.sans.org/diary.html?storyid=8350


Battlefield Keygens are Bad Company

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 1 min
  • Word Count: 112 words

In the same way that media event X guarantees Rogue Antispyware Y, a new and highly anticipated videogame that’s about ready to launch will bring out the scams and fakes. If you have any family members who like their PC games but perhaps aren’t clued up on Internet fakeouts, you might want to warn them that no matter how cool the so-called “Battlefield: Bad Company 2” keygens look, they should steer clear: ...


Don’t press F1

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 1 min
  • Word Count: 212 words

Here’s a new vector: exploiting a Windows vulnerability through Visual Basic script in an Internet Explorer page that calls into the Windows Help system: “get ‘em to hit F1 and you own ‘em.” Microsoft is warning of a VBScript vulnerability in Internet Explorer (on Win2K, XP and Server03) that could be used to run malicious code. A malicious operator could create a web site that displays a specially crafted dialog box and prompts a victim to press the F1 key (help). The dialog can reference an attacker-supplied Windows Help (.hlp) file, so pressing F1 hands that file to the legacy help viewer and malicious code runs on the victim machine. (Windows versions that are not vulnerable are Vista, Win7, Server08 and Server08 R2.) ...


60+ Compromised Sites with SEO Poisoning

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 2 min
  • Word Count: 236 words

More than 60 websites have been found to be hotbeds for SEO poisoning. Each of these domains hosts hundreds of pages crafted to match popular search keys. The topics on one domain also overlap with those on the others, so several of them can surface in the same set of search results. Topics range from the Winter Olympics luge crash to the death of Alexander McQueen and even the NASCAR schedule. ...


NOT the real VirusTotal.com

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 1 min
  • Word Count: 197 words

In addition to my last post: http://boelectronic.blogspot.com/2010/03/free-fakeav-at-virus-total-thats-not.html VirusTotal.com [http://en.wikipedia.org/wiki/VirusTotal.com] is a brilliant site that helps the public and researchers alike determine whether an executable file they have is potentially malicious. Julio Canto (of VirusTotal fame) has noticed that somebody decided to cash in on the good name of the site with the following domain: virus-total(dot)in. Go there, and you’ll see a message claiming the site is a “free online antivirus scanning service, click SCAN to begin scanning”: ...


Free FakeAV at Virus-Total (That’s not VirusTotal)

  • Post author: Omid Farhang
  • Post published: March 1, 2010
  • Reading Time: 3 min
  • Word Count: 529 words

VirusTotal is well known to most readers of this blog. It’s a free online scan service that lets submitters test a particular file against a multitude of malware scanners. So it’s not highly surprising that malware authors would try to use that name to further their own gain. Today we came across such a sample arriving at one of our spamtraps through a car-related forum. The message looks like this: ...
